There is at present no systematic way to analyze the security capabilities of a given network architecture, whether for an existing network, a network being modified, or a network being deployed. That is, a security analysis of a network is primarily performed after the network has been deployed. First, the network is deployed with the network equipment's configuration based on some estimation of what type of security threats are present and how to defend against them. Then a suite of security probes is run against the network to identify security vulnerabilities. Typically, each probe only identifies one type of security vulnerability in one network element at a time. Once the probe has identified a particular security vulnerability, the network element is reconfigured to address that vulnerability and the network probing continues. Unfortunately, in addition to the inefficiencies of deploying a network in this manner, at any given point in time the level of network security depends on which security probes have been run and whether the network administrators have reconfigured the network to address the results of these security probes.
Because there is no standard methodology or security assessment tool, and no network security framework on which to base security assessments, the results of today's security assessments are heavily dependent on the skill level of the personnel performing the assessment. The individual performing the security assessment also determines the questions to be asked during the security interview process, and decides which tests should be performed and how they should be performed. The individual performing the security assessment also keeps track of the information and data that is gathered during the assessment and correlates this information and data to identify actual security vulnerabilities (filtering out the false positives). Finally, once the security vulnerabilities have been identified, the individual must track down recommendations to address these vulnerabilities from publicly accessible sources (or develop recommendations if none exist) and manually put together a report for a final read-out to their customer. Because of the complex nature of all of these tasks, most individuals take a “cookie-cutter” approach to performing security assessments in that they ask the same questions, run the same tests, etc. for every type of customer in a “one-size-fits-all” manner. Thus, there are quality control issues and inefficiencies inherent in the current practice.